CSO roundtable: The economy’s effect on security management

These aren’t fun times for security. The industry is typically facing lean budgets and, in some cases, significant staffing cuts. Despite the trimming effects of an economic slow-down, today’s chief security officers have to face new security threats in addition to the threats that have never gone away. In light of this predicament, SecurityInfoWatch.com asked six top corporate security directors from ASIS International’s CSO Roundtable (an invitation-only group of senior security executives) how they were dealing with economic pressures and changing threat vectors. What we found is that they’re generally having to reexamine their priorities, stay vigilant for changing security needs, and try to be more nimble than ever in how they respond to incidents and prepare for the future.

The CSOs who shared their thoughts included the following:

Charles BaleyCharles Baley. ASIS International CSO Roundtable member Chuck Baley is the director of corporate security for Farmers Insurance Group. The Farmers Insurance Group of Companies is the country's third-largest insurer of personally owned passenger automobiles and homeowners insurance. The company has close to 20,000 employees and operations in 41 states. Baley is a graduate of The University of Chicago’s Booth School of Business.

Regis BeckerRegis W. Becker, CPP. Becker is the global director of security and compliance and chief compliance officer for PPG Industries. PPG Industries is an international manufacturer of coating and specialty materials used in a variety of manufacturing industries. Prior to PPG, Becker served as director of corporate security for Praxair Inc. and as manager of special investigations for Union Carbide Corporation. Before working in corporate security, Becker worked as an FBI special agent; he began his law enforcement career in the district attorney’s office of Allegheny County (Pa.). He currently co-chairs the Advisory Board of ASIS International's CSO Roundtable.

Chad CallaghanChad Callaghan, CPP, CSC, CLSD. Callaghan is vice president of enterprise loss prevention for international hotel chain Marriott International; he has worked for Marriott for more than 30 years. Callaghan is the chair of the Lodging Sector for the Department of Homeland Security Commercial Facilities Coordinating Council, a past chairman of the American Hotel & Lodging Association Loss Prevention Committee, and a past member of the executive committee of ASIS International’s board of directors. He has helped plan security for the Atlanta and Salt Lake City Olympic Games.

Walter FountainWalter Fountain, CPP. Fountain is the director of enterprise security for Schneider National, a very large transportation services company based in Green Bay. Despite the “national” in its name, Schneider National actually now operate s multi-nationally, and its services include trucking and rail-based transportation of goods as well as logistics services. Fountain has been involved with ASIS International’s education programs and serves on the Security Council of the American Trucking Associations (ATA) as treasurer.

Ed McDonoughEdward McDonough, CPP, CFE. McDonough is the director of global security for Tyco International, having entered the company through its ADT division before being appointed as ADT’s security director in 2001 and then moving in 2003 to his director of global security role at parent company Tyco. McDonough has held security director positions at Barnett Bank, Dominion Bancshares, The First National Bank of Pennsylvania and Sears, and before joining Tyco he operated an independent security consulting company.

Michael OsborneMichael Osborne, CPP. Osborne is director of global security for Kinross Gold Corporation. He provides security oversight for this publicly traded, Canadian-based gold mining company with mines and projects in the United States, Brazil, Chile, Ecuador and Russia, and he manages security for approximately 5,500 employees worldwide.

All six of our roundtable participants noted that they were faced with “doing more with less” and, now more than ever, were having to think critically about the management and operations of their security department. Here’s what they had to say…

The current business mantra seems to be “Do more with less”, and this has affected security and risk departments as well as all business units. How are you doing more with less?

Baley: You are absolutely correct; there is definitely an ever increasing mantra to “do more with less”. This actually caused us to take a strategic view of our security plan. We revisited our plan and really drilled down on our priorities and revised existing profiles related to risk mitigation and response. Since we fully expect the climate, in terms of cost allocation and constraints, to harden more before it expands, we refined and reprioritized our goals. WE matched our internal skill sets and resources with our goals and then identified challenges, obstacles, and constraints toward attainment. We were able to focus our financial resources toward our highest priority goals and in many cases identify nonfinancial solutions to other strategic goals. At least in the short run this has helped us become a much more efficient and effective department. It is amazing, as smart as we often feel we are, we do fall into that rut of maintaining certain practices, services, subscriptions, etc., because we always have done so, rather than on a continuing validated need.

Fountain: We have taken a more inclusive approach to assigning responsibility for security matters. For example, we don’t have the travel budget to get to every location for an on-site vulnerability assessment, so we used an interactive survey conducted by operational personnel at the site to conduct the annual assessments. We then review the assessments with a committee of subject matter experts to direct mitigation strategies. Another example might be the execution of the passport rules for land border crossing under WHTI. In the past, this would have been a security-led effort due to the personnel security overtones. However, we shifted this to an operations-led project with security input. In sum, it isn’t so much about doing more with less, but rather doing focused and priority work with less.

Becker: One big way is in the investigations arena. We have eliminated our corporate security investigations manager so I am now much more involved in the investigative process. We are also leveraging other corporate departments (human resources, internal audit, and finance) to assist in investigations. Finally we have retained a contract investigator at a much lower rate.

Osborne: Stretching security is a continuous theme throughout the business world. Security systems and programs must show value to the business. That value can be shown in such areas as theft detection, information security and personnel security. In order to develop and implement an effective and robust program, cost efficiency is a top concern. By performing vulnerability assessments focused on key assets and critical equipment, we have reduced our security system capital expenditures through reallocating current resources whose protective value was providing little or no value to areas requiring a higher protective element. This reallocation translates to a better, less expensive protective element that is measurable and demonstrates value.

McDonough: Cost is becoming a significant issue and concern and I think most of us are feeling some budget constraints. In these times, security directors are being asked to do the best we can with either what we already have or to reduce spending. As a way to help cut costs, we are also using guard watch solutions in combination with video cameras to supplement existing security officers and possibly replace guards on third shifts and weekends when facilities are less occupied. Another way many companies are cutting costs is by using video conferencing and other communication technologies as a way to save on travel expenses. However, the fact remains that travel is an absolute necessity at a global enterprise and we are doing a better job of partnering with our business units to ensure travel is business necessary. As an example we have stretched the time for certain risk assessments or security compliance audits from annual to once every 18 months.

Callaghan: CSOs who are truly engaged have to balance the realities of the economy with the risks inherent in their businesses. An example of how to balance the two is by conducting risk assessments on the products, services or properties you are protecting and then developing cost-effective measures to replace security staff with more efficient security technology.

How has the current state of the economy affected the risk and threat vectors you are presented with? For example: Are you facing an increase in property-type crimes? Workplace violence? Data theft?

Callaghan: There is no question that crime and threats have increased over the past 12 months or so in our business. Our internal investigations has so much demand that the staff has developed an "investigations hierarchy", effectively limiting the level of their involvement to cases that have a high value or executive interests. It appears that many people, both guests and employees are being impacted by the economy, leading some to pursue illegal means to compensate.

Fountain: Actually, no. We are seeing less crime-related impacts on our business. I would chalk this up to a couple of efforts. First, and perhaps foremost, was our ramping up of emphasis on these issues through training and awareness efforts. We started this about 18 months ago when we first saw the beginning of the downturn. The other action we have taken is to be more selective about the experience and qualifications of our workforce. This has led to a more proactive and mature approach to crime issues in all of our operations.

Baley: Internally, there has not been a significant affect in risk or threats. I attribute this mostly to the planning, resilience, and open communication between management and personnel. For the most part positions are secure and the company continues to maintain profitability. Externally, there have been some predictable affects. We are an insurance company and therefore have experienced increased incidents in fraudulent claims based upon a customer’s inability to meet financial obligations related to their vehicle, home, or business. This was anticipated and in most cases detected so the ultimate impact is mitigated. This effective detection of claim fraud has also generated increased threats by claimants against our personnel associated with the claim. We have been able to mitigate most of these increases through the training of our personnel, refining targeted response at the early onset of every incident, and increasing utilization of local law enforcement resources as appropriate. We have identified some risk triggers that we monitor very closely as our customized early warning signs of future trouble. We may need to engineer a response, but we should have some advanced notice even if it is only in the form of a heightened probability of occurrence.

Becker: We have seen only anecdotal evidence of this. For instance, in Spain we had a major sabotage-related product spill costing hundreds of thousands of dollars after we announced layoffs in the plant.

McDonough: Given the current economic turmoil, workplace violence, workplace threats and aggressive behavior are becoming issues that we’re finding ourselves dealing with more regularly. To help deal with the problem, we recently conducted a series of internal webinars to train human resources managers as well as business unit managers and supervisors on identifying possible workplace violence issues and how to manage situations or individuals that need attention.

Osborne: The current globally economy has required enhanced security measures surrounding key assets and critical equipment. The number of attempted property crimes at sites has increased as well as fraud matters. As the population continues to be affected financially, the motive and rationalization for these crimes rises. Establishing security systems and anti-fraud programs to increase protection and controls is imperative. Global security started collaborative efforts with risk management and internal audit to identify areas where controls are lacking and high risk items are identified. This effort allows for information to be shared within various groups and [it allows] mitigation strategies to be developed and rolled out to the site levels. One area in particular of focus has been our vendor managed programs. Proactive reviews were conducted in these areas and found instances of inflated invoicing and product substitution. We have also discovered greater exceptions in our warehouses for consumable items. Tighter controls and improved processes have reduced these exceptions.


How do you make your security department even more nimble and able to focus quickly on emerging concerns?

Fountain: The short answer is by opening up and becoming more transparent to the leadership and workforce. We have made a concerted effort to become more engaged in activities rather than succumb to the temptation of pulling in and husbanding one’s resources. This has made us more aware of potential challenges before they become issues. It has also made it easier to spread the responsibility for security more equitably and appropriately.

Becker: It is actually easier because reduced headcount forces you to get closer to the client businesses and, and with fewer administrative tasks due to lower headcount, you have more time to engage on emerging issues.

Osborne: The security strategy being implemented moves from a compliance-based approach to a performance-based program. A performance-based program immediately provides a measured value back to management and holds each individual site accountable for their performance. This strategy ensures the proper physical security components as well as human resources are in place, thus increasing effectiveness and cost efficiency. The performance-based program allows for early identification of trends and potential issues associated with each site. A defined and robust information collection program further detects issues and trends affecting the protection of critical areas. The most important aspect is to train the individuals responsible for the security activities at each site and to provide clear guidelines and expectations.

Baley: If we learned anything from this experience, it is that you need to revisit and revise your strategic plan. If it is not already a dynamic plan focused in part as a learning model to predict future events and trends, it really needs to be. Our old model of being, in large part, a response driven function needs to be challenged and changed. We are probably not going to have the luxury of surplus resources, including personnel, just in case they are needed. We are going to need to be focused more on predictive modeling and prevention methodologies to more effectively manage resources and protect our assets. We are also going to need to identify more synergies for collaboration with other business units. The days of siloed functionality and the total autonomy of corporate security are probably over.